Unbound not resolving subdomain

Open mietzen opened this issue 3 years ago • 0 comments

Describe the bug

Subdomains of mullvad.net, e.g. de7-wg.socks5.mullvad.net, are not resolved.

$ dig de7-wg.socks5.mullvad.net @127.0.0.1 -p 5353

; <<>> DiG 9.16.27-Debian <<>> de7-wg.socks5.mullvad.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64822
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:

;de7-wg.socks5.mullvad.net.	IN	A

;; Query time: 768 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Jun 15 07:29:26 UTC 2022
;; MSG SIZE  rcvd: 54

To reproduce

Steps to reproduce the behavior:

  1. Set up Unbound following: https://docs.pi-hole.net/guides/dns/unbound/
  2. dig de7-wg.socks5.mullvad.net @127.0.0.1 -p 5353

unbound config

server:
    verbosity: 1

    interface: 127.0.0.1
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    do-ip6: no
    prefer-ip6: no

    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1
    so-rcvbuf: 1m

    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Expected behavior

Subdomains are correctly resolved

System:

  • Unbound version: 1.13.1
  • OS: Debian GNU/Linux 11 (bullseye) x64
  • unbound -V output:
Version 1.13.1

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 1.1.1n  15 Mar 2022
Linked modules: dns64 python subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues

Additional information

I tested this on my piHole (x64) and inside a vanilla Debian 11 VM (x64) with the same result. I also added a debug log of the query with verbosity 5: unbound.log

Workaround

For now I found a workaround: I'm forwarding requests to socks.mullvad.net to Mullvad's public DNS:

    private-domain: "socks5.mullvad.net"
    forward-zone:
            name: "socks5.mullvad.net"
            forward-addr: 193.138.218.74

mietzen, Jun 15 '22 07:06
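
The workaround above adds a `private-domain` entry next to the `private-address` ranges from the posted config. As an added example (not part of the issue and not Unbound's code), this Python model applies Unbound's documented rule for those two options: addresses inside a `private-address` range are removed from answers unless the queried name is the `private-domain` or one of its subdomains. The answer addresses are constructed placeholders, not looked-up records, and the function names are hypothetical.

```python
import ipaddress

# private-address ranges copied from the unbound config in the issue
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "169.254.0.0/16", "172.16.0.0/12",
    "10.0.0.0/8", "fd00::/8", "fe80::/10",
)]


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def under_private_domain(qname, private_domains):
    """True if qname equals a private-domain entry or is a subdomain of one."""
    q = _norm(qname)
    return any(q == _norm(d) or q.endswith("." + _norm(d))
               for d in private_domains)


def filter_answer(qname, addresses, private_domains=()):
    """Split answer addresses into (kept, stripped) for the given name."""
    if under_private_domain(qname, private_domains):
        return list(addresses), []          # exempt: private addresses allowed
    kept, stripped = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        hit = any(ip.version == net.version and ip in net
                  for net in PRIVATE_ADDRESS)
        (stripped if hit else kept).append(addr)
    return kept, stripped


if __name__ == "__main__":
    name = "de7-wg.socks5.mullvad.net."
    sample = ["10.64.0.1", "203.0.113.10"]   # constructed sample answer
    print("without private-domain:", filter_answer(name, sample))
    print("with private-domain:   ",
          filter_answer(name, sample, ["socks5.mullvad.net"]))
```

Comparing the two results for a real answer (for example one returned by the forwarder in the workaround) shows whether the rebinding protection, rather than resolution itself, is what removes the records.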